Looking for router advice before moving to AT&T fiber

Discussion in 'Networking' started by Loren, Jun 17, 2019.

  1. Gene

    Gene Active Member

    Joined:
    Jan 27, 2016
    Messages:
    166
    Likes Received:
    29
Yep, that was it: a baud rate of 115200 worked. I now have valid certs and mfg.dat for the 210. I must be doing something wrong in supplicant mode of pfSense. It hangs at "waiting for EAP to authorize" when using the script. Bah
     
    #61
  2. mb300sd

    mb300sd Active Member

    Joined:
    Aug 1, 2016
    Messages:
    190
    Likes Received:
    65
    Skip the script and do

    sudo /sbin/wpa_supplicant -dd -Dwired -ieth0 -c wpa_supplicant.conf

    on the command line; it should tell you where it's hanging. Make sure you didn't get any 0-byte .cer files; it seems the 210's Linux doesn't unmount the partition correctly. Running sync before unmounting might help.
     
    #62
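    The advice above about 0-byte certificate files is easy to automate before pointing wpa_supplicant at the extracted files. The following is an added example, not the script from the thread: it assumes the extracted certificates are raw DER (the .der/.cer files named in the posts), parses the outer ASN.1 SEQUENCE header, and reports files that are empty, truncated (copied before the partition was synced), or not DER at all. The sample files it writes are constructed inline.

```python
"""Sanity-check extracted .der/.cer files before running wpa_supplicant.

Added example (not from the thread). Assumes raw DER input; a PEM file is
reported as "not-der" by design. Sample inputs below are constructed.
"""
import os
import tempfile

SEQUENCE_TAG = 0x30  # every X.509 certificate is an outer DER SEQUENCE


def der_outer_length(data: bytes):
    """Parse the outer DER tag/length header.

    Returns (header_len, content_len) for a SEQUENCE, or None if the bytes
    do not start one or the length encoding is malformed.
    """
    if len(data) < 2 or data[0] != SEQUENCE_TAG:
        return None
    first = data[1]
    if first < 0x80:                      # short-form length: one byte
        return 2, first
    n = first & 0x7F                      # long-form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n, int.from_bytes(data[2:2 + n], "big")


def classify_der(data: bytes) -> str:
    """Classify one file's bytes: empty, not-der, truncated, trailing-bytes, ok."""
    if len(data) == 0:
        return "empty"                    # the 0-byte files the post warns about
    parsed = der_outer_length(data)
    if parsed is None:
        return "not-der"
    header_len, content_len = parsed
    expected = header_len + content_len
    if len(data) < expected:
        return "truncated"                # copy was cut short (no sync before umount)
    if len(data) > expected:
        return "trailing-bytes"
    return "ok"


def check_cert_dir(path: str) -> dict:
    """Return {filename: status} for every .der/.cer file in a directory."""
    results = {}
    for name in sorted(os.listdir(path)):
        if not name.lower().endswith((".der", ".cer")):
            continue
        with open(os.path.join(path, name), "rb") as fh:
            results[name] = classify_der(fh.read())
    return results


# Constructed samples: a well-formed 260-byte SEQUENCE (long-form length 0x0100),
# an empty file, a truncated copy, and a PEM header where DER was expected.
GOOD_DER = b"\x30\x82\x01\x00" + bytes(256)
SAMPLES = {
    "good.der": GOOD_DER,
    "zero.cer": b"",
    "cut.der": GOOD_DER[:100],
    "pem.cer": b"-----BEGIN CERTIFICATE-----\n",
}


def demo() -> dict:
    """Write the constructed samples to a temp dir and check them."""
    with tempfile.TemporaryDirectory() as d:
        for name, blob in SAMPLES.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(blob)
        return check_cert_dir(d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

    Run it against the directory you copied the certificates into; anything other than "ok" means the file should be re-copied (with sync before the umount, as suggested above) before wpa_supplicant is started.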
  3. Gene

    Gene Active Member

    Joined:
    Jan 27, 2016
    Messages:
    166
    Likes Received:
    29
    Yep, all 0 bytes on the .der files. I'll give sync a shot. The mfg.dat came through OK.

    I copied over the files a few different ways. That and typing "sync" before the umount seemed to fix it. So I finally have the valid .der files.
     
    #63
    Last edited: Jul 14, 2019
  4. mb300sd

    mb300sd Active Member

    Joined:
    Aug 1, 2016
    Messages:
    190
    Likes Received:
    65
    The der files are universal, so you can use the ones from the 589 with the mfg.dat from the 210 if you need to.
     
    #64
  5. Kev

    Kev Active Member

    Joined:
    Feb 16, 2015
    Messages:
    318
    Likes Received:
    46
    So are you saying you don't need the script to create a netgraph interface in pfSense if you are doing wpa_supplicant?

    Cheers,
    Kevin
     
    #65
  6. mb300sd

    mb300sd Active Member

    Joined:
    Aug 1, 2016
    Messages:
    190
    Likes Received:
    65
    Not sure - I'm not running pfSense. But wpa_supplicant alone should tell you why it hangs. I think the netgraph had something to do with VLAN 0 on BSD, so you probably need it to actually access the internet.
     
    #66
  7. Kev

    Kev Active Member

    Joined:
    Feb 16, 2015
    Messages:
    318
    Likes Received:
    46
    OK, so I finally got WPA authenticated using a sandbox pfSense install on my ESXi server and I passed one port over. igb0 is connected to my ONT and I'm trying to get a DHCP address on ngeth0. I had to fix the pfatt.sh script to run wpa_supplicant on the ONT (igb0) instead of ngeth0 because WPA packets don't need tagging with VLAN 0. After wpa_cli status says I'm authenticated, I see DHCP requests from a MAC address that matches my RG but I see no replies. I see the traffic on ngeth0 with no tags and on igb0 with VLAN 0, P0 tagging, so everything seems to work.

    Now I'm pretty much stuck with the WPA authenticated but I don't see any DHCP replies. I wonder if the ONT is really tagging all traffic with VLAN 0?
     
    #67
  8. das1996

    das1996 New Member

    Joined:
    Sep 4, 2018
    Messages:
    19
    Likes Received:
    2
    ^^You shouldn't be mixing the wpa_supplicant method with netgraph. Get rid of all the netgraph stuff and retest.
     
    #68
  9. Kev

    Kev Active Member

    Joined:
    Feb 16, 2015
    Messages:
    318
    Likes Received:
    46
    I thought Netgraph was still needed to tag the traffic with VLAN 0 priority 0, and there is no way to do that in pfSense without Netgraph.
     
    #69
  10. das1996

    das1996 New Member

    Joined:
    Sep 4, 2018
    Messages:
    19
    Likes Received:
    2
    If running bare metal, you need a dumb switch between the ONT and pfSense, but 802.1x auth does work. Under ESXi no dumb switch is needed. Such was my experience in testing (under ESXi).
     
    #70
  11. Kev

    Kev Active Member

    Joined:
    Feb 16, 2015
    Messages:
    318
    Likes Received:
    46
    Hrm, somehow you are right. In ESXi, I just added a new e1000e interface, connected the ONT to it, ran wpa_supplicant and it authorized. When I was using Netgraph, I could see tagged traffic, but it looks like the ESXi vSwitch might just strip these tags off and everything is okay. I got DHCPv4 and DHCPv6 going.

    Now I have to figure out how to add my /29 static addresses.

    Oh, I tried vmxnet3 adapter and it didn’t authorize. I might have to go back and check on this one.
     
    #71
  12. marcoi

    marcoi Well-Known Member

    Joined:
    Apr 6, 2013
    Messages:
    1,332
    Likes Received:
    205
    I got the static IP finally working in pfSense. I believe. Lol

    I created an interface called staticIPs.
    I assigned it my last usable address in the block, which for me was .70 /29 (I have an 8 static block).
    I also added under the static IPv4 gateway the broadcast IP, which for me was .71.

    On my Sophos UTM, I manually configured the WAN IP to .65 /29 with a gateway of .70.
     
    #72
  13. Kev

    Kev Active Member

    Joined:
    Feb 16, 2015
    Messages:
    318
    Likes Received:
    46
    How does it know to route on the wan interface if a new static interface is created?

    I'm thinking IP alias or something else on the WAN interface.
     
    #73
  14. marcoi

    marcoi Well-Known Member

    Joined:
    Apr 6, 2013
    Messages:
    1,332
    Likes Received:
    205
    @Kev Not sure if I am answering your question, but the way I have it, I have a FW rule on WAN to allow traffic in on the .65 IP and port 7443.
    The rule is set up as Source = any / Dest = single host and .65 IP, Dest Port = other 7443.
    Under the StaticIP interface I have a rule to allow all traffic:
    Source = StaticIP / Dest = any

    I don't have any alias set up.

    With the configuration I have now, any PC connected to my Sophos UTM is now showing an IP address of .65 on whoami, vs. before when I got the standard DHCP IP address.

    Hope that helps.
     
    #74
  15. mb300sd

    mb300sd Active Member

    Joined:
    Aug 1, 2016
    Messages:
    190
    Likes Received:
    65
    Doing some server upgrades. The Hyper-V switch in Server 2019 now supports passing through 802.1x, so no more need to do DDA to the VM.

    802.1x Support with the Hyper-V switch is here! - Working Hard In IT

    You just need 1 registry entry and a reboot.
    Code:
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CURRENTControlSet\Services\vmsmp\parameters" /v 8021xEnabled /t REG_DWORD /d 1 /f
    Apparently the Intel X722 adapter on my new system strips VLAN 0 tags on its own. It happened with both PCIe passthrough and with the HV switch. Thankfully AT&T doesn't seem to care if you send the outgoing packets untagged. I didn't want to waste a PCIe slot for a different NIC.
     
    #75
  16. fohdeesha

    fohdeesha Kaini Industries

    Joined:
    Nov 20, 2016
    Messages:
    1,352
    Likes Received:
    1,089
    Well, that's quite the development... I was really wanting to terminate AT&T's fiber right on my ICX6610s so I don't need another Linux box/VM and all that crap just to terminate it - the Brocades will take a GPON SFP and will do 802.1x authentication and termination right onboard - however I ruled it out because they will not allow you to tag packets on VLAN 0. Your discovery makes me wonder if it's worth trying now - the big question is FastIron's treatment of packets coming in tagged with VLAN 0. Only one way to find out, I guess.
     
    #76
  17. mb300sd

    mb300sd Active Member

    Joined:
    Aug 1, 2016
    Messages:
    190
    Likes Received:
    65
    From what I can tell from the 802.1p spec, VLAN 0 means no VLAN but uses the tag for the QoS portion. Seems to be how AT&T's upstream equipment is handling it. Maybe the ICX6610 will strip the tag automatically as well for incoming packets? I'd try sending tagged frames in with Linux and see how they come out another port.

    Please let me know if you can get a GPON SFP working. I worked out how to clone the SLID and serial number on the ONT, but could never get mine to link up. Maybe it was just an incompatible model. I have way too many firewall rules to want to use a L3 switch as my main router, but getting rid of non-rackable bits makes the place look nicer.
     
    #77
  18. fohdeesha

    fohdeesha Kaini Industries

    Joined:
    Nov 20, 2016
    Messages:
    1,352
    Likes Received:
    1,089
    It definitely wouldn't be used as the main router, just terminating it from GPON to my WAN vlan that gets passed to my hypervisor cluster where my actual routers sit. Would make it a lot easier if I could handle the gpon and 802.1x in hardware on a switch and just hand off a regular vlan like I already am (DOCSIS in this case), but I think it may be a while until I get the free time to test. What switch did you test with? I thought I remembered reading others using generic GPON SFP optics out of the box without needing to clone any serials or anything like that
     
    #78
  19. mb300sd

    mb300sd Active Member

    Joined:
    Aug 1, 2016
    Messages:
    190
    Likes Received:
    65
    I had it in a Mellanox CX3. Might give it another shot at the other house and see if I can see any packets with it plugged into the 6610. If I can even find where the SFP went.
     
    #79
  20. mb300sd

    mb300sd Active Member

    Joined:
    Aug 1, 2016
    Messages:
    190
    Likes Received:
    65
    It does appear that the ICX6610 removes the VLAN 0 tag. I just did a simple "arping -i eth0.0 10.1.1.103 -S 10.1.1.153" and I can see the packets in Wireshark on my untagged interfaces.
     
    #80
    fohdeesha likes this.
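    The "VLAN 0 is a priority tag, not a VLAN" point made in #77, and the "send tagged frames in, see how they come out" test in #80, both come down to reading the 802.1Q TCI field of a frame. The following is an added example, not code from the thread: it builds and parses Ethernet frames, reports PCP/DEI/VID for any 802.1Q tag, flags VID 0 as a priority tag, models a device that strips only VID-0 tags, and summarises a batch of frames the way a capture on an untagged port would show them. The MAC addresses and ARP payload are constructed placeholders, not values from the thread.

```python
"""802.1Q tag inspection for the VLAN 0 (priority-tag) question.

Added example, not from the thread. Frames below are constructed; MACs and
payloads are placeholders. Only a single (outer) 802.1Q tag is parsed.
"""
import struct

ETH_P_8021Q = 0x8100   # TPID for an 802.1Q tag
ETH_P_ARP = 0x0806     # ethertype used by the arping test in #80


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: int = None, pcp: int = 0, dei: int = 0) -> bytes:
    """Assemble an Ethernet frame, optionally with one 802.1Q tag.

    vid=0 produces a priority-tagged frame (802.1p QoS bits, no VLAN),
    which is what the thread observes coming from the AT&T ONT.
    """
    hdr = dst + src
    if vid is not None:
        tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | (vid & 0x0FFF)
        hdr += struct.pack("!HHH", ETH_P_8021Q, tci, ethertype)
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header and, if present, the outer 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"), "tagged": False}
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, inner = struct.unpack("!HH", frame[14:18])
        info.update(tagged=True, pcp=tci >> 13, dei=(tci >> 12) & 1,
                    vid=tci & 0x0FFF, ethertype=inner)
    else:
        info["ethertype"] = ethertype
    # VID 0 carries only the 802.1p priority; it is not VLAN membership.
    info["priority_tagged"] = info["tagged"] and info["vid"] == 0
    return info


def strip_vlan0(frame: bytes) -> bytes:
    """Model a NIC/switch that drops VID-0 priority tags (as #75 and #80
    report) but leaves real VLAN tags untouched."""
    if parse_frame(frame)["priority_tagged"]:
        return frame[:12] + frame[16:]    # remove the 4-byte TPID+TCI
    return frame


def tag_summary(frames) -> dict:
    """Count frames as a capture on the far side of a device would show them."""
    counts = {"untagged": 0, "priority_tagged": 0, "vlan_tagged": 0}
    for f in frames:
        p = parse_frame(f)
        if not p["tagged"]:
            counts["untagged"] += 1
        elif p["priority_tagged"]:
            counts["priority_tagged"] += 1
        else:
            counts["vlan_tagged"] += 1
    return counts


# Constructed test traffic: an ARP request as sent from a Linux "eth0.0"
# sub-interface (VID 0, PCP 0), the same frame on VLAN 10, and one untagged.
BCAST = b"\xff" * 6
SRC = b"\x02\x00\x00\x00\x00\x01"
ARP_PAYLOAD = bytes(28)                    # placeholder ARP body
FRAMES = [
    build_frame(BCAST, SRC, ETH_P_ARP, ARP_PAYLOAD, vid=0, pcp=0),
    build_frame(BCAST, SRC, ETH_P_ARP, ARP_PAYLOAD, vid=10, pcp=3),
    build_frame(BCAST, SRC, ETH_P_ARP, ARP_PAYLOAD),
]


def demo() -> tuple:
    """Summaries before and after a VID-0-stripping device."""
    return tag_summary(FRAMES), tag_summary(strip_vlan0(f) for f in FRAMES)


if __name__ == "__main__":
    before, after = demo()
    print("ingress:", before)
    print("egress :", after)
```

    Run the same comparison on real captures (ingress from the ONT vs. egress on the far port) to tell a device that strips the VID-0 tag from one that forwards it or drops the frame.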